Cyber vandals lying low for now

CBS.MarketWatch.com

WASHINGTON (CBS.MW) -- Cyber vandals were lying low Thursday as the government turned up the heat on the largest case of computer crime to date, but not before they racked up another kill: Excite.

ExciteAtHome (ATHM) was the last known victim of the denial-of-service attacks, suffering an hour-long outage Wednesday night starting at about 7 p.m. Pacific time. A spokeswoman for Excite said the company was monitoring the site when the assault occurred.

But the cyber vandals kept quiet on Thursday. Keynote Systems, which monitors activity on major Web sites, said it was business as usual. Jackie Price, a spokeswoman at Gomez Advisors, a firm that tracks Web access to e-commerce and e-broker sites, also said there had been no unusual activity. FBI spokesman Steven Berry said that there were no new developments.

Julie Wainwright, chief executive of Pets.com, told CBS.MarketWatch.com that her company has "taken precautionary measures" against the attacks. Pets.com (IPET) is scheduled to go public Friday. Earlier this week, Buy.com (BUYX) was hit by Internet vandalism on the day of its IPO.

How long will it last?

"There definitely will be copycats, for sure," said Weld Pond, a research scientist at AtStake, a security consulting firm.

Pond said he believes the attacks that took place Monday, Tuesday and Wednesday were coordinated by one person or a small group of people, since it would take copycats more time to launch similar assaults.

The attacks brought on swift condemnation from federal authorities. On Wednesday, Attorney General Janet Reno said the FBI and the Justice Department are "committed in every way possible to tracking down those responsible."

The FBI is treating the attacks as computer crimes under federal law but didn't rule out the possibility of their source being terrorist groups or hostile foreign governments.

In denial-of-service, or DOS, attacks, the perpetrator plants software on remote computers programmed to send numerous requests for data to a target Web site. The remote computers use fake return addresses, leaving the Web site's servers unable to send authentication information. The high volume of false requests effectively cripples the Web site and prevents legitimate users from accessing it.
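
The mechanism described above can be modelled as a fixed-size table of half-open requests on the server. The following Python sketch is an added example, not part of the original article; the table size, timeout and request rates are assumed values, and the model ignores bandwidth and CPU limits.

```python
from collections import deque

def simulate(spoofed_per_tick, legit_per_tick=5, backlog=128, timeout=30, ticks=120):
    """Return the fraction of legitimate requests that found a free slot.

    Model (all parameters are illustrative assumptions):
    - the server keeps at most `backlog` half-open requests;
    - a request with a fake return address never answers the server's
      reply, so its entry stays in the table until `timeout` ticks pass;
    - a legitimate client answers at once and frees its slot immediately.
    """
    pending = deque()          # expiry tick of each half-open entry, oldest first
    served = refused = 0
    for now in range(ticks):
        # Drop entries whose reply was never answered within the timeout.
        while pending and pending[0] <= now:
            pending.popleft()
        # Requests with fake return addresses occupy slots until they expire.
        for _ in range(spoofed_per_tick):
            if len(pending) < backlog:
                pending.append(now + timeout)
        # Legitimate requests need one free slot at the moment they arrive.
        for _ in range(legit_per_tick):
            if len(pending) < backlog:
                served += 1
            else:
                refused += 1
    total = served + refused
    return served / total if total else 1.0

if __name__ == "__main__":
    print("no flood:              ", simulate(0))
    print("flood, 30-tick timeout:", round(simulate(50), 3))
    # A shorter timeout is a generic tuning knob assumed here, not a step
    # named in the article; it helps at one rate and fails at a higher one.
    print("flood, 1-tick timeout: ", simulate(50, timeout=1))
    print("bigger flood, 1 tick:  ", simulate(200, timeout=1))
```

In this model a shorter timeout restores service at one flood rate and fails again once the rate rises, which is why tuning of this kind reduces the impact of an attack without ruling one out.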

Security experts have said that these attacks aren't rare. What's new, however, is their scope -- enough to bring down a major site such as Yahoo.

Mitigation, not prevention

The CERT Coordination Center at Carnegie Mellon University, which is assisting the FBI on the case, said the attacks did not share a common tool or method of DOS attack. Furthermore, Web sites can't prevent themselves from falling victim to these assaults. However, there are steps to take to mitigate such problems, the center said.

Perhaps more problematic is that, every minute the sites are down, the e-tailers lose money. Last June, when EBay was down for 22 hours, in part due to growing pains, the online auctioneer warned investors that the downtime could cost it as much as 10 percent of quarterly sales.

Berge Ayvazian, president of The Yankee Group, estimates the damage to the companies at $1 billion -- including the cost of lost business and computer upgrades. His company, a technology research and consulting firm, calculated the figure based on several factors, including the duration of the attacks and the companies' revenue per hour.

The good news is that there's unanimous belief among security experts and e-tailers that consumers' private information hasn't been compromised by the attacks. The nature of the attack is to overwhelm a server, not to wrench information from its data banks.

Indeed, sensitive information such as a person's credit card number is protected by a much more sophisticated level of security, said Matthew Parks, a product manager at Keynote. Denial-of-service attacks are a low-level, relatively unsophisticated way of messing up a Web site.

This week, the sites that were attacked assured consumers and investors that they're beefing up security. But they can't be completely secure.

ZDNet admitted that it can only be prepared to a certain extent. As with any Internet company, it can't arbitrarily kick off any request for data. It's not easy to pinpoint what's a set-up and what's legitimate until after the servers start jamming.

Parks said these sites' Web hosts -- the ones that really have to deal with the attacks -- can analyze vandal "packets" to set up filters to screen them out in the future. But, even so, it's a temporary measure, since the signature of these packets can be changed. Data sent through the Internet is broken up into packets to speed transmission.
